Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
By: Ido Asher, Noa Dekel, Tom Fakterman
Published: June 2, 2026
Categories: Malware, Threat Research
Tags: CL-CRI-1089, macOS, Malvertising
Executive Summary
We are tracking an increasingly widespread malvertising campaign targeting macOS. This campaign appears to be the next stage of a previous campaign known as JSCoreRunner, which was first identified in August 2025. In recent months, the financially motivated attackers behind these campaigns transitioned from delivering standard adware to delivering adware with full backdoor capabilities. We designate this campaign Operation FlutterBridge, and we call the payload that it delivers FlutterShell.
Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications. In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation. Some variants weaponize artificial intelligence (AI) summarization features for data exfiltration by routing documents through an attacker-controlled server before processing them. The FlutterShell malware strain appears to be under active development, with new improvements being rapidly integrated into the code.
Operation FlutterBridge targets a global audience through an extensive Google Ads campaign, with an emphasis on Anglophone and Western European markets, distributed via hundreds of Google-verified advertisements. Our research indicates that the attackers behind this cluster distributed the ads using a series of shell companies to bypass ad-network vetting and orchestrate these attacks at scale.
We reported these advertisers to Google, which provided the following statement:
Malware has no place on our platforms, and we’ve suspended these advertiser accounts for violating our policies.
We track Operation FlutterBridge and the JSCoreRunner campaign under a cluster of activity that we refer to as CL-CRI-1089.
This article provides a technical overview of the FlutterShell macOS malware and the delivery network behind the malvertising campaigns.
Palo Alto Networks customers are better protected from the threats described in this article through the following products and services:
Advanced WildFire
Advanced URL Filtering and Advanced DNS Security
Cortex Agentix Threat Intel Agent
Cortex XDR and XSIAM
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Campaign Background
CL-CRI-1089 is a cybercrime cluster of activity that has been operational since at least 2023. The attackers behind this cluster are responsible for spreading malicious payloads via malvertising campaigns, targeting both Windows and macOS users through separate, ongoing operations.
The attackers’ modus operandi is consistent across these operations: They distributed malicious advertisements using a network of Google-verified shell companies. These ads were designed to trick targets into deploying malware that masquerades as legitimate desktop applications. While in-the-wild observations suggest the malware functions primarily as adware, it possesses capabilities for far more dangerous behavior, effectively functioning as a backdoor.
Operations attributed to this cluster include the RecipeLister and Calendaromatic Windows campaigns, as well as the JSCoreRunner macOS campaign. The Windows activity was previously tracked by other vendors under the broader “TamperedChef” designation, before Unit 42 researchers deconstructed the activity into distinct clusters. In late 2025, the attackers expanded their operations with Operation FlutterBridge, deploying a new macOS backdoor identified as FlutterShell.
Overview of the FlutterShell Malware
FlutterShell is a macOS backdoor developed using the Flutter framework and designed to masquerade as legitimate software. FlutterShell’s authors implemented a WebView-based architecture that utilizes a JavaScript-to-native bridge. This design allows the attackers to host malicious logic on an external website, rather than hardcoding it into the binary. This enables the attackers to dynamically alter FlutterShell's behavior in real time, without needing to recompile or redistribute the application.
FlutterShell has a set of built-in commands that provide attackers with the following capabilities:
Arbitrary command execution
File system interaction
Environment variables exfiltration
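As an added illustration of the capability list above (this is example code written for this article, not code from the report, from Unit 42 tooling, or from the malware), the following Python sketch shows the kind of detection logic a defender can run over process telemetry: a third-party app-bundle executable that spawns shells with `-c` is flagged, and the alert is raised to high severity when one of those commands dumps environment variables. The log schema, the application paths and the events themselves are constructed for the example.

```python
"""Detection sketch: GUI app bundle spawning shells and dumping env vars.

Constructed telemetry in a hypothetical one-JSON-object-per-line schema
(fields: ts, pid, ppid, image, argv). App names and paths are invented.
"""
import json
import re
from collections import defaultdict

SAMPLE_LOG = """
{"ts": 1, "pid": 501, "ppid": 1, "image": "/Applications/PDFTool.app/Contents/MacOS/PDFTool", "argv": ["PDFTool"]}
{"ts": 2, "pid": 502, "ppid": 501, "image": "/bin/sh", "argv": ["sh", "-c", "env"]}
{"ts": 3, "pid": 503, "ppid": 501, "image": "/bin/zsh", "argv": ["zsh", "-c", "ls -la ~/Library"]}
{"ts": 4, "pid": 601, "ppid": 1, "image": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "argv": ["Terminal"]}
{"ts": 5, "pid": 602, "ppid": 601, "image": "/bin/zsh", "argv": ["zsh", "-c", "env"]}
"""

# Executables living directly in a top-level /Applications/<Name>.app bundle.
# The Utilities subfolder (e.g. Terminal) does not match, so it acts as the baseline.
APP_BUNDLE_EXE = re.compile(r"^/Applications/[^/]+\.app/Contents/MacOS/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
# Commands whose purpose is to print the process environment.
ENV_DUMP = re.compile(r"\b(env|printenv|export -p)\b")


def detect(log_text: str) -> list[dict]:
    """Return one alert per app-bundle parent that spawned `sh -c`-style shells."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for parent in events:
        if not APP_BUNDLE_EXE.match(parent["image"]):
            continue  # only third-party GUI apps are in scope for this rule
        spawned = [c for c in children[parent["pid"]]
                   if c["image"] in SHELLS and "-c" in c["argv"]]
        if not spawned:
            continue
        # Recover the command string handed to each shell after "-c".
        cmds = [" ".join(c["argv"][c["argv"].index("-c") + 1:]) for c in spawned]
        env_dump = any(ENV_DUMP.search(cmd) for cmd in cmds)
        alerts.append({
            "parent": parent["image"],
            "shell_count": len(spawned),
            "commands": cmds,
            "env_dump": env_dump,
            "severity": "high" if env_dump else "medium",
        })
    return alerts
```

On the sample telemetry this yields a single high-severity alert for the PDFTool parent; the Terminal-spawned shell is left alone because the rule scopes to top-level application bundles.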
During our investigation, we observed FlutterShell being used as adware. Upon execution, the malware modifies Google Chrome...